Software Supply Chain Security

Homebrew Cask Security Verification: What Gets Checked Before Installation

Homebrew Cask installs macOS applications from the command line. Here is what security verification happens (and what does not) before software lands on your Mac.

Yukti Singhal
Security Researcher
5 min read

Homebrew is the de facto package manager for macOS. Homebrew Cask extends it to install graphical applications -- the ones you would normally download from a vendor website and drag to your Applications folder. For developers, brew install --cask firefox is faster than visiting a website, clicking through download pages, and manually installing.

But that convenience comes with security trade-offs that most users never consider. What happens between brew install --cask and the application appearing on your machine?

How Homebrew Cask Works

When you install a cask, Homebrew downloads the application from the url stanza of the cask definition, recomputes the SHA-256 of the download and compares it with the sha256 stanza, and then copies the app into /Applications (or whatever appdir you configured). Strictly, Homebrew calls these definitions casks rather than formulae (formula is the term for the command-line packages in homebrew-core), but the distinction does not matter here. Each cask is a Ruby file in the Homebrew/homebrew-cask GitHub repository.

The casks are maintained by Homebrew maintainers together with community contributors. When a new version of an application is released, someone updates the definition with the new version, URL and checksum. For casks that carry a livecheck stanza this is usually automated (brew bump-cask-pr opens the pull request with the new version and the freshly computed checksum); otherwise a contributor does it by hand.

What Gets Verified

SHA-256 checksum. A cask pins its download with a sha256 stanza. Homebrew hashes the file after download and refuses to install on a mismatch, which guarantees that you received the exact bytes the cask author pinned, and nothing more. One exception a practitioner should know: casks that track an unversioned download URL declare version :latest and sha256 :no_check, and for those no checksum is verified at all.

Cask review. Changes to casks go through GitHub pull requests against Homebrew/homebrew-cask, which run automated checks (brew audit --cask and brew style among them) and are reviewed by maintainers. This catches malformed or obviously wrong changes, such as a URL that does not resolve or a checksum that does not match the download; it is not a security review of the binary behind the URL.

macOS Gatekeeper. Homebrew sets the com.apple.quarantine attribute on what it downloads, so the first time the application is launched Gatekeeper checks its code signature and notarization, and by default refuses to open an app that is not signed with a Developer ID certificate and notarized by Apple. This protection is opt-out: installing with --no-quarantine (or putting that flag in HOMEBREW_CASK_OPTS, a common shortcut in dotfiles) removes the attribute, and Gatekeeper never looks at the app.
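The checksum step, as an added example that is neither the article's nor Homebrew's own code: a small POSIX shell script that reads the sha256 and url stanzas out of a cask definition, hashes a download and compares, which is conceptually what brew does (its real implementation is Ruby and handles far more stanza shapes than the single-line ones parsed here). The two cask definitions, the downloads.example.invalid host and the fake .dmg files are all constructed for the example; the second cask shows the sha256 :no_check case in which nothing is verified.

```shell
#!/bin/sh
# Added example: what Homebrew's sha256 check amounts to, in POSIX shell.
# Cask texts and the downloads below are constructed; hosts are example.invalid.

# Print the value of a single-line stanza (url, sha256, version, auto_updates)
# from a cask file, with quotes and trailing commas stripped.
cask_stanza() {  # usage: cask_stanza <stanza> <cask_file>
  awk -v key="$1" '$1 == key { print $2; exit }' "$2" | tr -d "\"',"
}

# SHA-256 of a file, using whichever tool the platform has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Compare a downloaded artifact with the cask's pinned hash.
# Prints OK, MISMATCH or UNVERIFIED; returns 0 only for OK.
verify_download() {  # usage: verify_download <cask_file> <downloaded_file>
  pinned=$(cask_stanza sha256 "$1")
  case "$pinned" in
    :no_check) echo "UNVERIFIED: sha256 :no_check, whatever is served at $(cask_stanza url "$1") is accepted"; return 1 ;;
    "")        echo "UNVERIFIED: no sha256 stanza"; return 1 ;;
  esac
  actual=$(sha256_of "$2")
  if [ "$actual" = "$pinned" ]; then
    echo "OK: sha256 matches $pinned"
  else
    echo "MISMATCH: expected $pinned, got $actual"; return 1
  fi
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf 'hello\n' > "$work/Example-1.2.3.dmg"   # constructed download; its sha256 is pinned below
cat > "$work/example-pinned.rb" <<'EOF'
cask "example-pinned" do
  version "1.2.3"
  sha256 "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
  url "https://downloads.example.invalid/Example-#{version}.dmg"
  name "Example"
  app "Example.app"
end
EOF
cat > "$work/example-latest.rb" <<'EOF'
cask "example-latest" do
  version :latest
  sha256 :no_check
  url "https://downloads.example.invalid/Example.dmg"
  auto_updates true
  app "Example.app"
end
EOF

verify_download "$work/example-pinned.rb" "$work/Example-1.2.3.dmg"
printf 'trojan\n' > "$work/swapped.dmg"         # constructed stand-in for a replaced binary
verify_download "$work/example-pinned.rb" "$work/swapped.dmg" || true
verify_download "$work/example-latest.rb" "$work/Example-1.2.3.dmg" || true
```

The first call succeeds, the swapped file fails with MISMATCH, and the :latest cask is accepted without any comparison at all, which is the point: a pinned hash protects you against a swapped download only for as long as the pin itself is not updated.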

What Does NOT Get Verified

The application itself is not audited. Homebrew verifies that you received the file the formula author intended. It does not verify that the file is safe. If the vendor distributes a compromised application, Homebrew will faithfully install it.

Download source integrity. The cask points to a URL (typically the vendor's website or GitHub releases). If that location is compromised (domain takeover, CDN compromise, server hack), the attacker can replace the binary. The pinned checksum catches the swap, and the install fails with a mismatch, but only until the cask is updated to carry the new (malicious) checksum, which a routine version-bump PR or bot will do as soon as the attacker publishes a "new release" at the expected URL.

Cask contributor identity. Anyone with a GitHub account can submit a pull request to update a cask. Maintainers review these PRs, but the review is primarily for correctness (does the URL resolve, does the checksum match the download, does the cask pass audit), not for whether the binary at that URL is safe or whether the host is really the vendor's.

Auto-update bypass. Many applications installed through Homebrew Cask ship their own update mechanism (Sparkle, for example) that bypasses Homebrew entirely, and their casks declare auto_updates true so that a plain brew upgrade skips them unless you pass --greedy. Once such an app has updated itself, the binary on disk no longer corresponds to anything Homebrew checked.

Supply chain of the application. Homebrew does not examine the dependencies, build process, or supply chain of the applications it distributes. A cask application could contain vulnerable libraries, malicious embedded code, or trojanized components.

Attack Scenarios

Domain Takeover

Cask formulas include download URLs. If the vendor domain expires or is otherwise available for registration, an attacker can take over the domain and serve malicious binaries at the expected URL. If the formula is updated (by the attacker or an automated bot) with the new checksum, Homebrew installs the malicious binary.

Maintainers or automated checks may eventually notice a takeover, but the window between takeover and detection is the exposure window, and a cask whose URL still resolves and whose checksum matches what is served looks perfectly healthy to every automated check.

Compromised Vendor Distribution

If a software vendor build server or distribution infrastructure is compromised (as in the 3CX and SolarWinds attacks), the compromised binaries are distributed through Homebrew alongside every other distribution channel.

Homebrew has no additional verification beyond what the vendor provides. If the vendor serves a signed, notarized, compromised binary, Homebrew installs it without question.

Formula PR Manipulation

A malicious contributor could submit a PR that updates a cask to point to an attacker-controlled URL, with a checksum that matches the attacker's binary. The review process should catch this, but cask PRs are numerous, the automated checks pass (the URL resolves and the checksum matches), and a look-alike host inside a plausible version bump is easy to miss.
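The three scenarios above leave the same fingerprints in a cask bump: the download host changes, the URL drops to plain http, the pin is removed, or the checksum changes while the version does not. The following added example (not from the article and not a Homebrew tool) diffs two revisions of a cask definition and flags those patterns, the kind of check you would run over a curated cask list before letting an upgrade through. Both cask texts are constructed; example-downloads.invalid stands in for an attacker's look-alike domain, and the parser handles single-line stanzas only.

```shell
#!/bin/sh
# Added example: flag the fingerprints of a takeover or a malicious bump in a cask change.
# Both cask texts are constructed; example-downloads.invalid plays the look-alike domain.

cask_stanza() {  # value of a single-line stanza, quotes and commas stripped
  awk -v key="$1" '$1 == key { print $2; exit }' "$2" | tr -d "\"',"
}

url_host() {  # scheme://host/path -> host
  printf '%s\n' "$1" | sed -n 's|^[A-Za-z][A-Za-z0-9+.-]*://\([^/:]*\).*|\1|p'
}

# Compare two revisions of a cask definition and print one line per finding.
# Returns 0 when nothing looks wrong, 1 when a human should look before upgrading.
review_cask_change() {  # usage: review_cask_change <old_cask_file> <new_cask_file>
  findings=0
  old_url=$(cask_stanza url "$1");     new_url=$(cask_stanza url "$2")
  old_sha=$(cask_stanza sha256 "$1");  new_sha=$(cask_stanza sha256 "$2")
  old_ver=$(cask_stanza version "$1"); new_ver=$(cask_stanza version "$2")

  if [ "$(url_host "$old_url")" != "$(url_host "$new_url")" ]; then
    echo "HOST CHANGED: $(url_host "$old_url") -> $(url_host "$new_url")"; findings=$((findings + 1))
  fi
  case "$new_url" in
    http://*) echo "PLAINTEXT URL: $new_url"; findings=$((findings + 1)) ;;
  esac
  if [ "$new_sha" = ":no_check" ] && [ "$old_sha" != ":no_check" ]; then
    echo "PIN REMOVED: sha256 went from $old_sha to :no_check"; findings=$((findings + 1))
  fi
  if [ "$old_ver" = "$new_ver" ] && [ "$old_sha" != "$new_sha" ]; then
    echo "SILENT REPACKAGE: version $old_ver unchanged but sha256 changed"; findings=$((findings + 1))
  fi
  if [ "$old_ver" != "$new_ver" ] && [ "$old_sha" = "$new_sha" ] && [ "$new_sha" != ":no_check" ]; then
    echo "STALE PIN: version bumped to $new_ver but sha256 unchanged"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/before.rb" <<'EOF'
cask "example" do
  version "1.2.3"
  sha256 "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
  url "https://downloads.example.invalid/Example-#{version}.dmg"
  app "Example.app"
end
EOF
# A "bump" that keeps the version but moves the download to a look-alike host over
# plain http with a new checksum: what a takeover or a hostile PR looks like in a diff.
cat > "$work/after.rb" <<'EOF'
cask "example" do
  version "1.2.3"
  sha256 "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
  url "http://example-downloads.invalid/Example-#{version}.dmg"
  app "Example.app"
end
EOF

review_cask_change "$work/before.rb" "$work/after.rb" || echo "-> hold the upgrade and review by hand"
```

Run against two checkouts of the cask (or against the stored known-good copy and the output of brew cat --cask), this prints HOST CHANGED, PLAINTEXT URL and SILENT REPACKAGE for the constructed pair. A legitimate release sometimes trips SILENT REPACKAGE too (a vendor re-uploads the same version), which is why the script asks for a human look rather than blocking outright.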

Defensive Measures for Organizations

Use a curated cask list. Define an approved list of cask applications for your organization, record the expected download host and signing identity for each, and monitor those casks for unexpected changes (brew cat --cask <name> prints the current definition). For tighter control, copy the vetted definitions into an internal tap (brew tap-new creates one) so that an upstream change cannot reach your fleet until you have re-vetted it.

Verify code signatures. After installation, verify that the application is signed by the expected developer, not merely by some developer. codesign -dv --verbose=4 /Applications/App.app prints the Authority chain and the TeamIdentifier; compare the Team ID with the vendor's known one, and run spctl --assess --type execute on the app for Gatekeeper's verdict, which includes notarization. This matters doubly if your fleet installs with --no-quarantine, because then nothing else ever checks the signature.

Monitor cask changes. Subscribe to changes in the homebrew-cask repository for the casks your organization uses. GitHub notifications, or a scheduled job that diffs the definitions, can alert you when a url, sha256 or version stanza changes; a changed download host deserves a human look before anyone upgrades.

Use MDM for application distribution. For managed macOS fleets, use an MDM solution (Jamf, Kandji) that provides additional verification and control over application installation.

Keep Homebrew updated. Homebrew itself receives security fixes, and brew update fetches both the new Homebrew code and the latest cask definitions. Follow it with brew upgrade --cask so that installed casks pick up corrected or security-patched versions.

Disable auto-update in cask applications. Where possible, disable in-app auto-update and manage updates through Homebrew or MDM so that every update passes through your verification process. Remember that casks marked auto_updates true are skipped by a plain brew upgrade; once in-app updates are off, run brew upgrade --greedy, or those applications will never be updated at all.
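As an added example of the signature check above (not code from the article, from Homebrew or from Apple): a shell function that parses codesign output and accepts the app only if the leaf certificate is a Developer ID Application certificate and the TeamIdentifier equals the value you pinned for that vendor, plus a wrapper that runs the real macOS tools. The codesign output embedded below is constructed (Example Corp, Team ID ABCDE12345 and com.example.app are placeholders), so the parsing part runs anywhere; verify_app itself only works on macOS, and its xattr line is an assumption about where the quarantine attribute ends up after a cask install.

```shell
#!/bin/sh
# Added example: pin an installed cask application to its vendor's Apple Team ID.
# The codesign output samples below are constructed; Example Corp / ABCDE12345 are placeholders.

# Read `codesign -dv --verbose=4` output on stdin and accept only a Developer ID
# signature whose TeamIdentifier matches. Prints OK or FAIL; returns 0 only for OK.
check_signer() {  # usage: codesign -dv --verbose=4 App.app 2>&1 | check_signer <expected_team_id>
  expected=$1
  input=$(cat)
  team=$(printf '%s\n' "$input" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
  leaf=$(printf '%s\n' "$input" | sed -n 's/^Authority=//p' | head -n 1)  # first Authority= is the leaf cert
  case "$leaf" in
    "Developer ID Application: "*) ;;
    *) echo "FAIL: leaf certificate is not Developer ID Application (${leaf:-no Authority lines, unsigned or ad-hoc})"; return 1 ;;
  esac
  if [ "$team" != "$expected" ]; then
    echo "FAIL: TeamIdentifier ${team:-<none>} does not match pinned $expected"; return 1
  fi
  echo "OK: signed by $leaf"
}

# Full check on macOS. codesign and spctl are the real Apple tools; the Team ID is yours to pin.
# The last line reports a missing quarantine attribute: with --no-quarantine Gatekeeper never
# evaluates the app, so this explicit check is the only signature check it ever gets.
verify_app() {  # usage: verify_app /Applications/Example.app ABCDE12345
  codesign --verify --deep --strict "$1" || return 1                  # seal intact, nothing modified
  codesign -dv --verbose=4 "$1" 2>&1 | check_signer "$2" || return 1  # right signer, not just any signer
  spctl --assess --type execute --verbose "$1" || return 1            # Gatekeeper verdict, incl. notarization
  xattr -p com.apple.quarantine "$1" >/dev/null 2>&1 || echo "note: no quarantine attribute on $1 (installed with --no-quarantine?)"
}

# Constructed sample of what codesign writes (to stderr) for a Developer ID app.
SIGNED_SAMPLE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample for an ad-hoc signature: no certificate chain, no team.
ADHOC_SAMPLE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Signature=adhoc
TeamIdentifier=not set'

printf '%s\n' "$SIGNED_SAMPLE" | check_signer ABCDE12345
printf '%s\n' "$SIGNED_SAMPLE" | check_signer ZZZZZ99999 || true   # valid signature, wrong vendor
printf '%s\n' "$ADHOC_SAMPLE"  | check_signer ABCDE12345 || true   # ad-hoc signed
printf 'Example.app: code object is not signed at all\n' | check_signer ABCDE12345 || true
```

Pin the Team ID from the vendor's documentation or from a known-good install you have inspected, never from the first download you happen to check; a valid Developer ID signature under someone else's Team ID is exactly what a repackaged trojan looks like, and Gatekeeper on its own is satisfied by it.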

How Safeguard.sh Helps

Safeguard.sh extends supply chain monitoring to your developer workstation tooling. Our platform tracks the applications installed through Homebrew and other package managers on developer machines, monitors for compromised distributions, and generates inventories of developer-side software. When a Homebrew cask application is found to contain vulnerable components, Safeguard.sh alerts your team and provides remediation guidance.
